author Armin Kuster <akuster@mvista.com> 2014-08-11 16:38:09 -0700
committer Armin Kuster <akuster808@gmail.com> 2014-08-27 21:09:49 -0700
commit e6b6816192993b022738d204091348577c8fb45e (patch)
tree 0cb52f768a5ffa9bfbab4467c71892056aacfaad
parent fa3c8b475c95ae4d5b20d46e3c7143014709e802 (diff)
download meta-security-e6b6816192993b022738d204091348577c8fb45e.tar.gz
tripwire: Add files for package support
Signed-off-by: Armin Kuster <akuster@mvista.com>
-rw-r--r-- recipes-security/tripwire/files/tripwire.cron | 8
-rw-r--r-- recipes-security/tripwire/files/tripwire.sh | 9
-rw-r--r-- recipes-security/tripwire/files/tripwire.txt | 69
-rw-r--r-- recipes-security/tripwire/files/twcfg.txt | 15
-rw-r--r-- recipes-security/tripwire/files/twinstall.sh | 320
-rw-r--r-- recipes-security/tripwire/files/twpol-yocto.txt | 1107
6 files changed, 1528 insertions, 0 deletions
diff --git a/recipes-security/tripwire/files/tripwire.cron b/recipes-security/tripwire/files/tripwire.cron
new file mode 100644
index 0000000..2035508
--- /dev/null
+++ b/recipes-security/tripwire/files/tripwire.cron
@@ -0,0 +1,8 @@
1#!/bin/sh
2HOST_NAME=`uname -n`
3if [ ! -e /var/lib/tripwire/${HOST_NAME}.twd ] ; then
4 echo "**** Error: Tripwire database for ${HOST_NAME} not found. ****"
5 echo "**** Run "/etc/tripwire/twinstall.sh" and/or "tripwire --init". ****"
6else
7 test -f /etc/tripwire/tw.cfg && /usr/sbin/tripwire --check
8fi
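Review bot: the nested double quotes on line 5 (`echo "**** Run "/etc/tripwire/twinstall.sh" and/or "tripwire --init". ****"`) close and reopen the string instead of quoting the paths, so the message prints without the quotes and only works by accident of shell word concatenation; wrap the whole message in single quotes or escape the inner quotes as `\"`. On the missing-database branch the script prints its error and exits 0, so a cron job on a host where `--init` was never run looks healthy to anything that watches exit status; an `exit 1` there would make the failure visible. Note also that `tripwire --check` here runs without `-M`/`--email-report`, so the only output is the report file plus the violations printed to stdout, i.e. whatever cron does with job output.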
diff --git a/recipes-security/tripwire/files/tripwire.sh b/recipes-security/tripwire/files/tripwire.sh
new file mode 100644
index 0000000..4276d10
--- /dev/null
+++ b/recipes-security/tripwire/files/tripwire.sh
@@ -0,0 +1,9 @@
1#!/bin/sh
2HOST_NAME=`uname -n`
3if [ ! -e /var/lib/tripwire/${HOST_NAME}.twd ] ; then
4 echo "**** WARNING: Tripwire database for ${HOST_NAME} not found. ****"
5 echo "**** Run "/etc/tripwire/twinstall.sh" and/or "tripwire --init". ****"
6 # Note: /etc/tripwire/twinstall.sh creates and initializes tripwire
7 # database (i.e tripwire --init).
8 # Example: . /etc/tripwire/twinstall.sh 2> /dev/null
9fi
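Review bot: the same quoting problem as tripwire.cron is on line 5 (inner double quotes terminate the string); use single quotes or `\"`. More importantly, the example on line 8 sources the installer (`. /etc/tripwire/twinstall.sh`) instead of executing it: when sourced, the installer runs in the caller's shell, so each of its `exit 1` paths terminates the user's login shell, and its variables, including TW_SITE_PASS and TW_LOCAL_PASS, remain set in that shell afterwards. Recommend `/etc/tripwire/twinstall.sh` (executed) in the comment, and drop the `2> /dev/null`, which hides exactly the twadmin error output the user needs when key generation or signing fails.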
diff --git a/recipes-security/tripwire/files/tripwire.txt b/recipes-security/tripwire/files/tripwire.txt
new file mode 100644
index 0000000..332d004
--- /dev/null
+++ b/recipes-security/tripwire/files/tripwire.txt
@@ -0,0 +1,69 @@
1Post-Installation Instructions
21. Run the configuration script: /etc/tripwire/twinstall.sh to sign these files. This script walks you through the processes of setting passphrases and signing the Tripwire policy and configuration files.
3Note: Once encoded and signed, the configuration file should not be renamed or moved.
42. Initialize the Tripwire database file. (/usr/sbin/tripwire--init)
53. Run the first integrity check. (/usr/sbin/tripwire--check)
64. Edit the configuration file (twcfg.txt) with a text editor, if desired.
75. Edit the policy file (twpol.txt) with a text editor, if desired.
8
9Note: If you plan to modify the policy file, we recommend you do so before running the configuration script. If you modify the policy file after running the configuration script, you must re-run the configuration file before initializing the database file.
10
11Modifying the Policy File
12You can specify how Tripwire software checks your system in the Tripwire policy file (twpol.txt). A default policy file is included in the Tripwire software installation. We recommend you tailor this policy file to fit your particular system. Tailoring the policy file greatly increases Tripwire software's ability to ensure the integrity of your system.
13
14Locate the default policy file at /etc/tripwire/twpol.txt. An example policy file (located at /usr/doc/tripwire-VER#-REL#/policyguide.txt) is included to help you learn the policy language. Read the sample policy file and the comments in the sample policy file to learn the policy language.
15
16After you modify the policy file, follow the Post-Installation Instructions (run the configuration script). This script signs the modified policy file and renames it to tw.pol. This is the active policy file that runs as part of the Tripwire software.
17
18Selecting Passphrases
19Tripwire files are signed or encrypted using site or local keys. These keys are protected by passphrases. When selecting passphrases, the following recommendations apply:
20Use at least eight alphanumeric and symbolic characters for each passphrase. The maximum length of a passphrase is 1023 characters. Quotes should not be used as passphrase characters.
21
22Assign a unique passphrase for the site key. The site key passphrase protects the site key, which is used to sign Tripwire software configuration and policy files. Assign a unique passphrase for the local key. The local key signs Tripwire database files. The local key may sign the Tripwire report files also.
23
24Store the passphrases in a secure location. There is no way to remove encryption from a signed file if you forget your passphrase. If you forget the passphrases, the files are unusable. In that case you must reinitialize the baseline database.
25
26Initializing the Database
27In Database Initialization mode, Tripwire software builds a database of filesystem objects based on the rules in the policy file. This database serves as the baseline for integrity checks. The syntax for Database Initialization mode is:
28tripwire --init
29
30Running an Integrity Check
31The Integrity Check mode compares the current file system objects with their properties recorded in the Tripwire database. Violations are printed to stdout. The report file is saved and can later be accessed by twprint. An email option enables you to send email. The syntax for Integrity Check mode is:
32tripwire --check
33
34Printing Reports - twprint Print Report Mode
35The twprint --print-report mode prints the contents of a Tripwire report. If you do not specify a report with the --twrfile or -r command-line argument, the default report file specified by the configuration file REPORTFILE variable is used.
36Example: On a machine named LIGHTHOUSE, the command would be:
37./twprint -m r --twrfile LIGHTHOUSE-19990622-021212.twr
38
39Updating the Database after an Integrity Check
40Database Update mode enables you to update the Tripwire database after an integrity check if you determine that the violations discovered are valid. This update process saves time by enabling you to update the database without having to re-initialize it. It also enables selective updating, which cannot be done through re-initialization. The syntax for Database Update mode is:
41tripwire --update
42
43Updating the Policy File
44Change the way that Tripwire software scans the system by changing the rules in the policy file. You can then update the database without a complete re-initialization. This saves a significant amount of time and preserves security by keeping the policy file synchronized with the database it uses. The syntax for Policy Update mode is:
45tripwire --update-policy
46
47Testing email functions
48Test mode tests the software's email notification system, using the settings currently specified in the configuration file. The syntax for Email Test Reporting mode is:
49tripwire --test
50
51Tripwire Components
52The policy file begins as a text file containing comments, rules, directives, and variables. These dictate the way Tripwire software checks your system. Each rule in the policy file specifies a system object to be monitored. Rules also describe which changes to the object to report, and which to ignore.
53
54System objects are the files and directories you wish to monitor. Each object is identified by an object name. A property refers to a single characteristic of an object that Tripwire software can monitor. Directives control conditional processing of sets of rules in a policy file. During installation, the text policy file is encrypted and renamed, and becomes the active policy file.
55
56The database file is an important component of Tripwire software. When first installed, Tripwire software uses the policy file rules to create the database file. The database file is a baseline "snapshot" of the system in a known secure state. Tripwire software compares this baseline against the current system to determine what changes have occurred. This is an integrity check.
57
58When you perform an integrity check, Tripwire software produces report files. Report files summarize any changes that violated the policy file rules during the integrity check. You can view the report file in a variety of formats, at varying levels of detail.
59
60The Tripwire configuration file stores system-specific information, such as the location of Tripwire data files. Tripwire software generates some of the configuration file information during installation. The system administrator can change parameters in the configuration file at any time. The configuration file variables POLFILE, DBFILE, REPORTFILE, SITEKEYFILE, and LOCALKEYFILE specify where the policy file, database file, report files, and site and local key files reside. These variables must be defined or the configuration file is invalid. If any of these variables are undefined, an error occurs on execution of Tripwire software and the program exits.
61
62Tripwire Help
63All Tripwire commands support the help arguments. Example: To get help with Create Configuration File mode, type: ./twadmin --help --create-cfgfile
64
65-? Display usage and version information
66--help Display all command modes
67--help all Display help for all command modes
68--help [mode] Display help for current command mode
69--version Display version information
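Review bot: lines 4 and 5 drop the space between the binary and its option (`/usr/sbin/tripwire--init`, `/usr/sbin/tripwire--check`), so a reader who copies them gets "command not found"; they should read `/usr/sbin/tripwire --init` and `/usr/sbin/tripwire --check`. Line 9 says "re-run the configuration file" where it means the configuration script (twinstall.sh). Line 14 still points at the RPM documentation path `/usr/doc/tripwire-VER#-REL#/policyguide.txt`, which will not exist on a Yocto image; either drop the reference or point at wherever the recipe installs the policy guide. Lines 5, 12 and 14 refer to the policy as twpol.txt while this commit adds it as twpol-yocto.txt, so the text should state the name the installed file actually has.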
diff --git a/recipes-security/tripwire/files/twcfg.txt b/recipes-security/tripwire/files/twcfg.txt
new file mode 100644
index 0000000..131b097
--- /dev/null
+++ b/recipes-security/tripwire/files/twcfg.txt
@@ -0,0 +1,15 @@
1ROOT =/usr/sbin
2POLFILE =/etc/tripwire/tw.pol
3DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
4REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
5SITEKEYFILE =/etc/tripwire/site.key
6LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
7EDITOR =/bin/nano
8LATEPROMPTING =false
9LOOSEDIRECTORYCHECKING =false
10MAILNOVIOLATIONS =true
11EMAILREPORTLEVEL =3
12REPORTLEVEL =3
13MAILMETHOD =SENDMAIL
14SYSLOGREPORTING =false
15MAILPROGRAM =/usr/lib/sendmail -t
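Review bot: `MAILMETHOD =SENDMAIL` with `MAILPROGRAM =/usr/lib/sendmail -t` (lines 13 and 15) assumes a sendmail binary at that path on the target; on an image without an MTA, `tripwire --test` and any emailed report fail, and because `SYSLOGREPORTING =false` (line 14) nothing is recorded locally either. For an embedded target, syslog is the channel that is actually present, so `SYSLOGREPORTING =true` should be the default here so that violations reach the system log and any log forwarder. Also, `LOOSEDIRECTORYCHECKING =false` (line 9) contradicts the policy file added in this same commit, whose header says it is best run with LOOSEDIRECTORYCHECKING=TRUE; with it false, every file added or removed under a watched directory is also reported as a change to the directory itself, which doubles the noise in each report. Lastly, `EDITOR =/bin/nano` (line 7) only holds if nano is in the image; `tripwire --update` needs the editor for interactive updates, so either add the dependency or point at vi.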
diff --git a/recipes-security/tripwire/files/twinstall.sh b/recipes-security/tripwire/files/twinstall.sh
new file mode 100644
index 0000000..7d1b63f
--- /dev/null
+++ b/recipes-security/tripwire/files/twinstall.sh
@@ -0,0 +1,320 @@
1#!/bin/sh
2
3########################################################################
4########################################################################
5##
6## Tripwire(R) 2.3 for LINUX(R) Post-RPM installation script
7##
8## Copyleft information contained in footer
9##
10########################################################################
11########################################################################
12
13##=======================================================
14## Setup
15##=======================================================
16
17# We can assume all the correct tools are in place because the
18# RPM installed, didn't it?
19
20##-------------------------------------------------------
21## Set HOST_NAME variable
22##-------------------------------------------------------
23HOST_NAME='localhost'
24if uname -n > /dev/null 2> /dev/null ; then
25 HOST_NAME=`uname -n`
26fi
27
28##-------------------------------------------------------
29## Program variables - edited by RPM during initial install
30##-------------------------------------------------------
31
32# Site Passphrase variable
33TW_SITE_PASS="tripwire"
34
35# Complete path to site key
36SITE_KEY="/etc/tripwire/site.key"
37
38# Local Passphrase variable
39TW_LOCAL_PASS="tripwire"
40
41# Complete path to local key
42LOCAL_KEY="/etc/tripwire/${HOST_NAME}-local.key"
43
44# If clobber==true, overwrite files; if false, do not overwrite files.
45CLOBBER="false"
46
47# If prompt==true, ask for confirmation before continuing with install.
48PROMPT="true"
49
50# Name of twadmin executeable
51TWADMIN="twadmin"
52
53# Path to twadmin executeable
54TWADMPATH=/usr/sbin
55
56# Path to configuration directory
57CONF_PATH="/etc/tripwire"
58
59# Name of clear text policy file
60TXT_POL=$CONF_PATH/twpol.txt
61
62# Name of clear text configuration file
63TXT_CFG=$CONF_PATH/twcfg.txt
64
65# Name of encrypted configuration file
66CONFIG_FILE=$CONF_PATH/tw.cfg
67
68# Path of the final Tripwire policy file (signed)
69SIGNED_POL=`grep POLFILE $TXT_CFG | sed -e 's/^.*=\(.*\)/\1/'`
70
71
72##=======================================================
73## Create Key Files
74##=======================================================
75
76##-------------------------------------------------------
77## If user has to enter a passphrase, give some
78## advice about what is appropriate.
79##-------------------------------------------------------
80
81if [ -z "$TW_SITE_PASS" ] || [ -z "$TW_LOCAL_PASS" ]; then
82cat << END_OF_TEXT
83
84----------------------------------------------
85The Tripwire site and local passphrases are used to
86sign a variety of files, such as the configuration,
87policy, and database files.
88
89Passphrases should be at least 8 characters in length
90and contain both letters and numbers.
91
92See the Tripwire manual for more information.
93END_OF_TEXT
94fi
95
96##=======================================================
97## Generate keys.
98##=======================================================
99
100echo
101echo "----------------------------------------------"
102echo "Creating key files..."
103
104##-------------------------------------------------------
105## Site key file.
106##-------------------------------------------------------
107
108# If clobber is true, and prompting is off (unattended operation)
109# and the key file already exists, remove it. Otherwise twadmin
110# will prompt with an "are you sure?" message.
111
112if [ "$CLOBBER" = "true" ] && [ "$PROMPT" = "false" ] && [ -f "$SITE_KEY" ] ; then
113 rm -f "$SITE_KEY"
114fi
115
116if [ -f "$SITE_KEY" ] && [ "$CLOBBER" = "false" ] ; then
117 echo "The site key file \"$SITE_KEY\""
118 echo 'exists and will not be overwritten.'
119else
120 cmdargs="--generate-keys --site-keyfile \"$SITE_KEY\""
121 if [ -n "$TW_SITE_PASS" ] ; then
122 cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\""
123 fi
124 eval "\"$TWADMPATH/$TWADMIN\" $cmdargs"
125 if [ $? -ne 0 ] ; then
126 echo "Error: site key generation failed"
127 exit 1
128 else chmod 640 "$SITE_KEY"
129 fi
130fi
131
132##-------------------------------------------------------
133## Local key file.
134##-------------------------------------------------------
135
136# If clobber is true, and prompting is off (unattended operation)
137# and the key file already exists, remove it. Otherwise twadmin
138# will prompt with an "are you sure?" message.
139
140if [ "$CLOBBER" = "true" ] && [ "$PROMPT" = "false" ] && [ -f "$LOCAL_KEY" ] ; then
141 rm -f "$LOCAL_KEY"
142fi
143
144if [ -f "$LOCAL_KEY" ] && [ "$CLOBBER" = "false" ] ; then
145 echo "The site key file \"$LOCAL_KEY\""
146 echo 'exists and will not be overwritten.'
147else
148 cmdargs="--generate-keys --local-keyfile \"$LOCAL_KEY\""
149 if [ -n "$TW_LOCAL_PASS" ] ; then
150 cmdargs="$cmdargs --local-passphrase \"$TW_LOCAL_PASS\""
151 fi
152 eval "\"$TWADMPATH/$TWADMIN\" $cmdargs"
153 if [ $? -ne 0 ] ; then
154 echo "Error: local key generation failed"
155 exit 1
156 else chmod 640 "$LOCAL_KEY"
157 fi
158fi
159
160##=======================================================
161## Sign the Configuration File
162##=======================================================
163
164echo
165echo "----------------------------------------------"
166echo "Signing configuration file..."
167
168##-------------------------------------------------------
169## If noclobber, then backup any existing config file.
170##-------------------------------------------------------
171
172if [ "$CLOBBER" = "false" ] && [ -s "$CONFIG_FILE" ] ; then
173 backup="${CONFIG_FILE}.$$.bak"
174 echo "Backing up $CONFIG_FILE"
175 echo " to $backup"
176 `mv "$CONFIG_FILE" "$backup"`
177 if [ $? -ne 0 ] ; then
178 echo "Error: backup of configuration file failed."
179 exit 1
180 fi
181fi
182
183##-------------------------------------------------------
184## Build command line.
185##-------------------------------------------------------
186
187cmdargs="--create-cfgfile"
188cmdargs="$cmdargs --cfgfile \"$CONFIG_FILE\""
189cmdargs="$cmdargs --site-keyfile \"$SITE_KEY\""
190if [ -n "$TW_SITE_PASS" ] ; then
191 cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\""
192fi
193
194##-------------------------------------------------------
195## Sign the file.
196##-------------------------------------------------------
197
198eval "\"$TWADMPATH/$TWADMIN\" $cmdargs \"$TXT_CFG\""
199if [ $? -ne 0 ] ; then
200 echo "Error: signing of configuration file failed."
201 exit 1
202fi
203
204# Set the rights properly
205chmod 640 "$CONFIG_FILE"
206
207##-------------------------------------------------------
208## We keep the cleartext version around.
209##-------------------------------------------------------
210
211cat << END_OF_TEXT
212
213A clear-text version of the Tripwire configuration file
214$TXT_CFG
215has been preserved for your inspection. It is recommended
216that you delete this file manually after you have examined it.
217
218END_OF_TEXT
219
220##=======================================================
221## Sign tripwire policy file.
222##=======================================================
223
224echo
225echo "----------------------------------------------"
226echo "Signing policy file..."
227
228##-------------------------------------------------------
229## If noclobber, then backup any existing policy file.
230##-------------------------------------------------------
231
232if [ "$CLOBBER" = "false" ] && [ -s "$POLICY_FILE" ] ; then
233 backup="${POLICY_FILE}.$$.bak"
234 echo "Backing up $POLICY_FILE"
235 echo " to $backup"
236 mv "$POLICY_FILE" "$backup"
237 if [ $? -ne 0 ] ; then
238 echo "Error: backup of policy file failed."
239 exit 1
240 fi
241fi
242
243##-------------------------------------------------------
244## Build command line.
245##-------------------------------------------------------
246
247cmdargs="--create-polfile"
248cmdargs="$cmdargs --cfgfile \"$CONFIG_FILE\""
249cmdargs="$cmdargs --site-keyfile \"$SITE_KEY\""
250if [ -n "$TW_SITE_PASS" ] ; then
251 cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\""
252fi
253
254##-------------------------------------------------------
255## Sign the file.
256##-------------------------------------------------------
257
258eval "\"$TWADMPATH/$TWADMIN\" $cmdargs \"$TXT_POL\""
259if [ $? -ne 0 ] ; then
260 echo "Error: signing of policy file failed."
261 exit 1
262fi
263
264# Set the proper rights on the newly signed policy file.
265chmod 0640 "$SIGNED_POL"
266
267##-------------------------------------------------------
268## We keep the cleartext version around.
269##-------------------------------------------------------
270
271cat << END_OF_TEXT
272
273A clear-text version of the Tripwire policy file
274$TXT_POL
275has been preserved for your inspection. This implements
276a minimal policy, intended only to test essential
277Tripwire functionality. You should edit the policy file
278to describe your system, and then use twadmin to generate
279a new signed copy of the Tripwire policy.
280
281END_OF_TEXT
282
283# Initialize tripwire database
284/usr/sbin/tripwire --init --cfgfile $CONFIG_FILE --site-keyfile $SITE_KEY \
285--local-passphrase $TW_LOCAL_PASS 2> /dev/null
286
287########################################################################
288########################################################################
289#
290# TRIPWIRE GPL NOTICES
291#
292# The developer of the original code and/or files is Tripwire, Inc.
293# Portions created by Tripwire, Inc. are copyright 2000 Tripwire, Inc.
294# Tripwire is a registered trademark of Tripwire, Inc. All rights reserved.
295#
296# This program is free software. The contents of this file are subject to
297# the terms of the GNU General Public License as published by the Free
298# Software Foundation; either version 2 of the License, or (at your option)
299# any later version. You may redistribute it and/or modify it only in
300# compliance with the GNU General Public License.
301#
302# This program is distributed in the hope that it will be useful. However,
303# this program is distributed "AS-IS" WITHOUT ANY WARRANTY; INCLUDING THE
304# IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
305# Please see the GNU General Public License for more details.
306#
307# You should have received a copy of the GNU General Public License along
308# with this program; if not, write to the Free Software Foundation, Inc.,
309# 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
310#
311# Nothing in the GNU General Public License or any other license to use the
312# code or files shall permit you to use Tripwire's trademarks,
313# service marks, or other intellectual property without Tripwire's
314# prior written consent.
315#
316# If you have any questions, please contact Tripwire, Inc. at either
317# info@tripwire.org or www.tripwire.org.
318#
319########################################################################
320########################################################################
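Review bot: lines 33 and 39 ship fixed default passphrases (`TW_SITE_PASS="tripwire"`, `TW_LOCAL_PASS="tripwire"`) that every image built from this recipe will use to generate its site and local keys. Because those keys sign tw.cfg, tw.pol and the database, anyone who knows the default can re-sign a modified policy or baseline and the integrity check will report nothing, which defeats the purpose of the package; the defaults should be empty (the script already handles the empty case by letting twadmin prompt, lines 81-94 and 121-123) and a build-time override should be documented. Related: the passphrases are passed as `--site-passphrase`/`--local-passphrase` arguments (lines 122, 150, 191, 251, 285), so they are visible in the process list while twadmin and tripwire run. Two functional bugs: `$POLICY_FILE` on lines 232-236 is never defined (the signed policy path is `$SIGNED_POL`, line 69), so an existing tw.pol is never backed up before being overwritten; and the final `tripwire --init` on lines 284-285 uses unquoted `$CONFIG_FILE`, `$SITE_KEY` and `$TW_LOCAL_PASS`, discards stderr and ignores its exit status, so a failed database initialisation goes unnoticed until the cron job complains. Minor: the backticks around `mv` on line 176 are unnecessary (compare line 236), line 145 says "site key" for the local key, and "executeable" on lines 50 and 53.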
diff --git a/recipes-security/tripwire/files/twpol-yocto.txt b/recipes-security/tripwire/files/twpol-yocto.txt
new file mode 100644
index 0000000..65f5f75
--- /dev/null
+++ b/recipes-security/tripwire/files/twpol-yocto.txt
@@ -0,0 +1,1107 @@
1 ##############################################################################
2 # ##
3############################################################################## #
4# # #
5# Generic Policy file # #
6# V1.2.0rh # #
7# August 9, 2001 # #
8# ##
9##############################################################################
10
11
12 ##############################################################################
13 # ##
14############################################################################## #
15# # #
16# This is the example Tripwire Policy file. It is intended as a place to # #
17# start creating your own custom Tripwire Policy file. Referring to it as # #
18# well as the Tripwire Policy Guide should give you enough information to # #
19# make a good custom Tripwire Policy file that better covers your # #
20# configuration and security needs. A text version of this policy file is # #
21# called twpol.txt. # #
22# # #
23# Note that this file is tuned to an 'everything' install of Red Hat Linux. # #
24# If run unmodified, this file should create no errors on database # #
25# creation, or violations on a subsiquent integrity check. However, it is # #
26# impossible for there to be one policy file for all machines, so this # #
27# existing one errs on the side of security. Your Linux configuration will # #
28# most likey differ from the one our policy file was tuned to, and will # #
29# therefore require some editing of the default Tripwire Policy file. # #
30# # #
31# The example policy file is best run with 'Loose Directory Checking' # #
32# enabled. Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration # #
33# file. # #
34# # #
35# Email support is not included and must be added to this file. # #
36# Add the 'emailto=' to the rule directive section of each rule (add a comma # #
37# after the 'severity=' line and add an 'emailto=' and include the email # #
38# addresses you want the violation reports to go to). Addresses are # #
39# semi-colon delimited. # #
40# ##
41##############################################################################
42
43
44
45 ##############################################################################
46 # ##
47############################################################################## #
48# # #
49# Global Variable Definitions # #
50# # #
51# These are defined at install time by the installation script. You may # #
52# Manually edit these if you are using this file directly and not from the # #
53# installation script itself. # #
54# ##
55##############################################################################
56
57@@section GLOBAL
58TWROOT=/usr/sbin;
59TWBIN=/usr/sbin;
60TWPOL="/etc/tripwire";
61TWDB="/var/lib/tripwire";
62TWSKEY="/etc/tripwire";
63TWLKEY="/etc/tripwire";
64TWREPORT="/var/lib/tripwire/report";
65HOSTNAME=localhost;
66
67@@section FS
68SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
69SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set
70SEC_BIN = $(ReadOnly) ; # Binaries that should not change
71SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often
72SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership
73SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership
74SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
75SIG_MED = 66 ; # Non-critical files that are of significant security impact
76SIG_HI = 100 ; # Critical files that are significant points of vulnerability
77
78
79# Tripwire Binaries
80(
81 rulename = "Tripwire Binaries",
82 severity = $(SIG_HI)
83)
84{
85 $(TWBIN)/siggen -> $(SEC_BIN) ;
86 $(TWBIN)/tripwire -> $(SEC_BIN) ;
87 $(TWBIN)/twadmin -> $(SEC_BIN) ;
88 $(TWBIN)/twprint -> $(SEC_BIN) ;
89}
90
91# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
92(
93 rulename = "Tripwire Data Files",
94 severity = $(SIG_HI)
95)
96{
97 # NOTE: We remove the inode attribute because when Tripwire creates a backup,
98 # it does so by renaming the old file and creating a new one (which will
99 # have a new inode number). Inode is left turned on for keys, which shouldn't
100 # ever change.
101
102 # NOTE: The first integrity check triggers this rule and each integrity check
103 # afterward triggers this rule until a database update is run, since the
104 # database file does not exist before that point.
105
106 $(TWDB) -> $(SEC_CONFIG) -i ;
107 $(TWPOL)/tw.pol -> $(SEC_BIN) -i ;
108 $(TWPOL)/tw.cfg -> $(SEC_BIN) -i ;
109 $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
110 $(TWSKEY)/site.key -> $(SEC_BIN) ;
111
112 #don't scan the individual reports
113 $(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ;
114}
115
116
117# Tripwire HQ Connector Binaries
118#(
119# rulename = "Tripwire HQ Connector Binaries",
120# severity = $(SIG_HI)
121#)
122#{
123# $(TWBIN)/hqagent -> $(SEC_BIN) ;
124#}
125#
126# Tripwire HQ Connector - Configuration Files, Keys, and Logs
127
128 ##############################################################################
129 # ##
130############################################################################## #
131# # #
132# Note: File locations here are different than in a stock HQ Connector # #
133# installation. This is because Tripwire 2.3 uses a different path # #
134# structure than Tripwire 2.2.1. # #
135# # #
136# You may need to update your HQ Agent configuation file (or this policy # #
137# file) to correct the paths. We have attempted to support the FHS standard # #
138# here by placing the HQ Agent files similarly to the way Tripwire 2.3 # #
139# places them. # #
140# ##
141##############################################################################
142
143#(
144# rulename = "Tripwire HQ Connector Data Files",
145# severity = $(SIG_HI)
146#)
147#{
148# #############################################################################
149# ##############################################################################
150# # NOTE: Removing the inode attribute because when Tripwire creates a backup ##
151# # it does so by renaming the old file and creating a new one (which will ##
152# # have a new inode number). Leaving inode turned on for keys, which ##
153# # shouldn't ever change. ##
154# #############################################################################
155#
156# $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ;
157# $(TWLKEY)/authentication.key -> $(SEC_BIN) ;
158# $(TWDB)/tasks.dat -> $(SEC_CONFIG) ;
159# $(TWDB)/schedule.dat -> $(SEC_CONFIG) ;
160#
161# # Uncomment if you have agent logging enabled.
162# #/var/log/tripwire/agent.log -> $(SEC_LOG) ;
163#}
164
165
166
167# Commonly accessed directories that should remain static with regards to owner and group
168(
169 rulename = "Invariant Directories",
170 severity = $(SIG_MED)
171)
172{
173 / -> $(SEC_INVARIANT) (recurse = 0) ;
174 /home -> $(SEC_INVARIANT) (recurse = 0) ;
175 /etc -> $(SEC_INVARIANT) (recurse = 0) ;
176}
177 ################################################
178 # ##
179################################################ #
180# # #
181# File System and Disk Administration Programs # #
182# ##
183################################################
184
185(
186 rulename = "File System and Disk Administraton Programs",
187 severity = $(SIG_HI)
188)
189{
190 /sbin/accton -> $(SEC_CRIT) ;
191 /sbin/badblocks -> $(SEC_CRIT) ;
192 /sbin/busybox -> $(SEC_CRIT) ;
193 /sbin/busybox.anaconda -> $(SEC_CRIT) ;
194 /sbin/convertquota -> $(SEC_CRIT) ;
195 /sbin/dosfsck -> $(SEC_CRIT) ;
196 /sbin/debugfs -> $(SEC_CRIT) ;
197 /sbin/debugreiserfs -> $(SEC_CRIT) ;
198 /sbin/dumpe2fs -> $(SEC_CRIT) ;
199 /sbin/dump -> $(SEC_CRIT) ;
200 /sbin/dump.static -> $(SEC_CRIT) ;
201 # /sbin/e2fsadm -> $(SEC_CRIT) ; tune2fs?
202 /sbin/e2fsck -> $(SEC_CRIT) ;
203 /sbin/e2label -> $(SEC_CRIT) ;
204 /sbin/fdisk -> $(SEC_CRIT) ;
205 /sbin/fsck -> $(SEC_CRIT) ;
206 /sbin/fsck.ext2 -> $(SEC_CRIT) ;
207 /sbin/fsck.ext3 -> $(SEC_CRIT) ;
208 /sbin/fsck.minix -> $(SEC_CRIT) ;
209 /sbin/fsck.msdos -> $(SEC_CRIT) ;
210 /sbin/fsck.vfat -> $(SEC_CRIT) ;
211 /sbin/ftl_check -> $(SEC_CRIT) ;
212 /sbin/ftl_format -> $(SEC_CRIT) ;
213 /sbin/hdparm -> $(SEC_CRIT) ;
214 #/sbin/lvchange -> $(SEC_CRIT) ;
215 #/sbin/lvcreate -> $(SEC_CRIT) ;
216 #/sbin/lvdisplay -> $(SEC_CRIT) ;
217 #/sbin/lvextend -> $(SEC_CRIT) ;
218 #/sbin/lvmchange -> $(SEC_CRIT) ;
219 #/sbin/lvmcreate_initrd -> $(SEC_CRIT) ;
220 #/sbin/lvmdiskscan -> $(SEC_CRIT) ;
221 #/sbin/lvmsadc -> $(SEC_CRIT) ;
222 #/sbin/lvmsar -> $(SEC_CRIT) ;
223 #/sbin/lvreduce -> $(SEC_CRIT) ;
224 #/sbin/lvremove -> $(SEC_CRIT) ;
225 #/sbin/lvrename -> $(SEC_CRIT) ;
226 #/sbin/lvscan -> $(SEC_CRIT) ;
227 /sbin/mkbootdisk -> $(SEC_CRIT) ;
228 /sbin/mkdosfs -> $(SEC_CRIT) ;
229 /sbin/mke2fs -> $(SEC_CRIT) ;
230 /sbin/mkfs -> $(SEC_CRIT) ;
231 /sbin/mkfs.bfs -> $(SEC_CRIT) ;
232 /sbin/mkfs.ext2 -> $(SEC_CRIT) ;
233 /sbin/mkfs.minix -> $(SEC_CRIT) ;
234 /sbin/mkfs.msdos -> $(SEC_CRIT) ;
235 /sbin/mkfs.vfat -> $(SEC_CRIT) ;
236 /sbin/mkinitrd -> $(SEC_CRIT) ;
237 #/sbin/mkpv -> $(SEC_CRIT) ;
238 /sbin/mkraid -> $(SEC_CRIT) ;
239 /sbin/mkreiserfs -> $(SEC_CRIT) ;
240 /sbin/mkswap -> $(SEC_CRIT) ;
241 #/sbin/mtx -> $(SEC_CRIT) ;
242 /sbin/pam_console_apply -> $(SEC_CRIT) ;
243 /sbin/parted -> $(SEC_CRIT) ;
244 /sbin/pcinitrd -> $(SEC_CRIT) ;
245 #/sbin/pvchange -> $(SEC_CRIT) ;
246 #/sbin/pvcreate -> $(SEC_CRIT) ;
247 #/sbin/pvdata -> $(SEC_CRIT) ;
248 #/sbin/pvdisplay -> $(SEC_CRIT) ;
249 #/sbin/pvmove -> $(SEC_CRIT) ;
250 #/sbin/pvscan -> $(SEC_CRIT) ;
251 /sbin/quotacheck -> $(SEC_CRIT) ;
252 /sbin/quotaon -> $(SEC_CRIT) ;
253 /sbin/raidstart -> $(SEC_CRIT) ;
254 /sbin/reiserfsck -> $(SEC_CRIT) ;
255 /sbin/resize2fs -> $(SEC_CRIT) ;
256 /sbin/resize_reiserfs -> $(SEC_CRIT) ;
257 /sbin/restore -> $(SEC_CRIT) ;
258 /sbin/restore.static -> $(SEC_CRIT) ;
259 /sbin/scsi_info -> $(SEC_CRIT) ;
260 /sbin/sfdisk -> $(SEC_CRIT) ;
261 /sbin/stinit -> $(SEC_CRIT) ;
262 #/sbin/tapeinfo -> $(SEC_CRIT) ;
263 /sbin/tune2fs -> $(SEC_CRIT) ;
264 /sbin/unpack -> $(SEC_CRIT) ;
265 /sbin/update -> $(SEC_CRIT) ;
266 #/sbin/vgcfgbackup -> $(SEC_CRIT) ;
267 #/sbin/vgcfgrestore -> $(SEC_CRIT) ;
268 #/sbin/vgchange -> $(SEC_CRIT) ;
269 #/sbin/vgck -> $(SEC_CRIT) ;
270 #/sbin/vgcreate -> $(SEC_CRIT) ;
271 #/sbin/vgdisplay -> $(SEC_CRIT) ;
272 #/sbin/vgexport -> $(SEC_CRIT) ;
273 #/sbin/vgextend -> $(SEC_CRIT) ;
274 #/sbin/vgimport -> $(SEC_CRIT) ;
275 #/sbin/vgmerge -> $(SEC_CRIT) ;
276 #/sbin/vgmknodes -> $(SEC_CRIT) ;
277 #/sbin/vgreduce -> $(SEC_CRIT) ;
278 #/sbin/vgremove -> $(SEC_CRIT) ;
279 #/sbin/vgrename -> $(SEC_CRIT) ;
280 #/sbin/vgscan -> $(SEC_CRIT) ;
281 #/sbin/vgsplit -> $(SEC_CRIT) ;
282 /bin/chgrp -> $(SEC_CRIT) ;
283 /bin/chmod -> $(SEC_CRIT) ;
284 /bin/chown -> $(SEC_CRIT) ;
285 /bin/cp -> $(SEC_CRIT) ;
286 /bin/cpio -> $(SEC_CRIT) ;
287 /bin/mount -> $(SEC_CRIT) ;
288 /bin/umount -> $(SEC_CRIT) ;
289 /bin/mkdir -> $(SEC_CRIT) ;
290 /bin/mknod -> $(SEC_CRIT) ;
291 /bin/mktemp -> $(SEC_CRIT) ;
292 /bin/rm -> $(SEC_CRIT) ;
293 /bin/rmdir -> $(SEC_CRIT) ;
294 /bin/touch -> $(SEC_CRIT) ;
295}
296
297 ##################################
298 # ##
299################################## #
300# # #
301# Kernel Administration Programs # #
302# ##
303##################################
304
305(
306 rulename = "Kernel Administration Programs",
307 severity = $(SIG_HI)
308)
309{
310 /sbin/adjtimex -> $(SEC_CRIT) ;
311 /sbin/ctrlaltdel -> $(SEC_CRIT) ;
312 /sbin/depmod -> $(SEC_CRIT) ;
313 /sbin/insmod -> $(SEC_CRIT) ;
314 /sbin/insmod.static -> $(SEC_CRIT) ;
315 /sbin/insmod_ksymoops_clean -> $(SEC_CRIT) ;
316 /sbin/klogd -> $(SEC_CRIT) ;
317 /sbin/ldconfig -> $(SEC_CRIT) ;
318 /sbin/minilogd -> $(SEC_CRIT) ;
319 /sbin/modinfo -> $(SEC_CRIT) ;
320 #/sbin/nuactlun -> $(SEC_CRIT) ;
321 #/sbin/nuscsitcpd -> $(SEC_CRIT) ;
322 /sbin/pivot_root -> $(SEC_CRIT) ;
323 /sbin/sndconfig -> $(SEC_CRIT) ;
324 /sbin/sysctl -> $(SEC_CRIT) ;
325}
326
327 #######################
328 # ##
329####################### #
330# # #
331# Networking Programs # #
332# ##
333#######################
334
335(
336 rulename = "Networking Programs",
337 severity = $(SIG_HI)
338)
339{
340 /etc/sysconfig/network-scripts/ifdown -> $(SEC_CRIT) ;
341 /etc/sysconfig/network-scripts/ifdown-cipcb -> $(SEC_CRIT) ;
342 /etc/sysconfig/network-scripts/ifdown-ippp -> $(SEC_CRIT) ;
343 /etc/sysconfig/network-scripts/ifdown-ipv6 -> $(SEC_CRIT) ;
344 /etc/sysconfig/network-scripts/ifdown-isdn -> $(SEC_CRIT) ;
345 /etc/sysconfig/network-scripts/ifdown-post -> $(SEC_CRIT) ;
346 /etc/sysconfig/network-scripts/ifdown-ppp -> $(SEC_CRIT) ;
347 /etc/sysconfig/network-scripts/ifdown-sit -> $(SEC_CRIT) ;
348 /etc/sysconfig/network-scripts/ifdown-sl -> $(SEC_CRIT) ;
349 /etc/sysconfig/network-scripts/ifup -> $(SEC_CRIT) ;
350 /etc/sysconfig/network-scripts/ifup-aliases -> $(SEC_CRIT) ;
351 /etc/sysconfig/network-scripts/ifup-cipcb -> $(SEC_CRIT) ;
352 /etc/sysconfig/network-scripts/ifup-ippp -> $(SEC_CRIT) ;
353 /etc/sysconfig/network-scripts/ifup-ipv6 -> $(SEC_CRIT) ;
354 /etc/sysconfig/network-scripts/ifup-isdn -> $(SEC_CRIT) ;
355 /etc/sysconfig/network-scripts/ifup-plip -> $(SEC_CRIT) ;
356 /etc/sysconfig/network-scripts/ifup-plusb -> $(SEC_CRIT) ;
357 /etc/sysconfig/network-scripts/ifup-post -> $(SEC_CRIT) ;
358 /etc/sysconfig/network-scripts/ifup-ppp -> $(SEC_CRIT) ;
359 /etc/sysconfig/network-scripts/ifup-routes -> $(SEC_CRIT) ;
360 /etc/sysconfig/network-scripts/ifup-sit -> $(SEC_CRIT) ;
361 /etc/sysconfig/network-scripts/ifup-sl -> $(SEC_CRIT) ;
362 /etc/sysconfig/network-scripts/ifup-wireless -> $(SEC_CRIT) ;
363 /etc/sysconfig/network-scripts/network-functions -> $(SEC_CRIT) ;
364 /etc/sysconfig/network-scripts/network-functions-ipv6 -> $(SEC_CRIT) ;
365 /bin/ping -> $(SEC_CRIT) ;
366 /sbin/agetty -> $(SEC_CRIT) ;
367 /sbin/arp -> $(SEC_CRIT) ;
368 /sbin/arping -> $(SEC_CRIT) ;
369 /sbin/dhcpcd -> $(SEC_CRIT) ;
370 /sbin/ether-wake -> $(SEC_CRIT) ;
371 #/sbin/getty -> $(SEC_CRIT) ;
372 /sbin/ifcfg -> $(SEC_CRIT) ;
373 /sbin/ifconfig -> $(SEC_CRIT) ;
374 /sbin/ifdown -> $(SEC_CRIT) ;
375 /sbin/ifenslave -> $(SEC_CRIT) ;
376 /sbin/ifport -> $(SEC_CRIT) ;
377 /sbin/ifup -> $(SEC_CRIT) ;
378 /sbin/ifuser -> $(SEC_CRIT) ;
379 /sbin/ip -> $(SEC_CRIT) ;
380 /sbin/ip6tables -> $(SEC_CRIT) ;
381 /sbin/ipchains -> $(SEC_CRIT) ;
382 /sbin/ipchains-restore -> $(SEC_CRIT) ;
383 /sbin/ipchains-save -> $(SEC_CRIT) ;
384 /sbin/ipfwadm -> $(SEC_CRIT) ;
385 /sbin/ipmaddr -> $(SEC_CRIT) ;
386 /sbin/iptables -> $(SEC_CRIT) ;
387 /sbin/iptables-restore -> $(SEC_CRIT) ;
388 /sbin/iptables-save -> $(SEC_CRIT) ;
389 /sbin/iptunnel -> $(SEC_CRIT) ;
390 #/sbin/ipvsadm -> $(SEC_CRIT) ;
391 #/sbin/ipvsadm-restore -> $(SEC_CRIT) ;
392 #/sbin/ipvsadm-save -> $(SEC_CRIT) ;
393 /sbin/ipx_configure -> $(SEC_CRIT) ;
394 /sbin/ipx_interface -> $(SEC_CRIT) ;
395 /sbin/ipx_internal_net -> $(SEC_CRIT) ;
396 /sbin/iwconfig -> $(SEC_CRIT) ;
397 /sbin/iwgetid -> $(SEC_CRIT) ;
398 /sbin/iwlist -> $(SEC_CRIT) ;
399 /sbin/iwpriv -> $(SEC_CRIT) ;
400 /sbin/iwspy -> $(SEC_CRIT) ;
401 /sbin/mgetty -> $(SEC_CRIT) ;
402 /sbin/mingetty -> $(SEC_CRIT) ;
403 /sbin/nameif -> $(SEC_CRIT) ;
404 /sbin/netreport -> $(SEC_CRIT) ;
405 /sbin/plipconfig -> $(SEC_CRIT) ;
406 /sbin/portmap -> $(SEC_CRIT) ;
407 /sbin/ppp-watch -> $(SEC_CRIT) ;
408 #/sbin/rarp -> $(SEC_CRIT) ;
409 /sbin/route -> $(SEC_CRIT) ;
410 /sbin/slattach -> $(SEC_CRIT) ;
411 /sbin/tc -> $(SEC_CRIT) ;
412 #/sbin/uugetty -> $(SEC_CRIT) ;
413 /sbin/vgetty -> $(SEC_CRIT) ;
414 /sbin/ypbind -> $(SEC_CRIT) ;
415}
416
417 ##################################
418 # ##
419################################## #
420# # #
421# System Administration Programs # #
422# ##
423##################################
424
425(
426 rulename = "System Administration Programs",
427 severity = $(SIG_HI)
428)
429{
430 /sbin/chkconfig -> $(SEC_CRIT) ;
431 /sbin/fuser -> $(SEC_CRIT) ;
432 /sbin/halt -> $(SEC_CRIT) ;
433 /sbin/init -> $(SEC_CRIT) ;
434 /sbin/initlog -> $(SEC_CRIT) ;
435 /sbin/install-info -> $(SEC_CRIT) ;
436 /sbin/killall5 -> $(SEC_CRIT) ;
437 #/sbin/linuxconf -> $(SEC_CRIT) ;
438 #/sbin/linuxconf-auth -> $(SEC_CRIT) ;
439 /sbin/pam_tally -> $(SEC_CRIT) ;
440 /sbin/pwdb_chkpwd -> $(SEC_CRIT) ;
441 #/sbin/remadmin -> $(SEC_CRIT) ;
442 /sbin/rescuept -> $(SEC_CRIT) ;
443 /sbin/rmt -> $(SEC_CRIT) ;
444 /sbin/rpc.lockd -> $(SEC_CRIT) ;
445 /sbin/rpc.statd -> $(SEC_CRIT) ;
446 /sbin/rpcdebug -> $(SEC_CRIT) ;
447 /sbin/service -> $(SEC_CRIT) ;
448 /sbin/setsysfont -> $(SEC_CRIT) ;
449 /sbin/shutdown -> $(SEC_CRIT) ;
450 /sbin/sulogin -> $(SEC_CRIT) ;
451 /sbin/swapon -> $(SEC_CRIT) ;
452 /sbin/syslogd -> $(SEC_CRIT) ;
453 /sbin/unix_chkpwd -> $(SEC_CRIT) ;
454 /bin/pwd -> $(SEC_CRIT) ;
455 /bin/uname -> $(SEC_CRIT) ;
456}
457
458 ########################################
459 # ##
460######################################## #
461# # #
462# Hardware and Device Control Programs # #
463# ##
464########################################
465(
466 rulename = "Hardware and Device Control Programs",
467 severity = $(SIG_HI)
468)
469{
470 /bin/setserial -> $(SEC_CRIT) ;
471 /bin/sfxload -> $(SEC_CRIT) ;
472 /sbin/blockdev -> $(SEC_CRIT) ;
473 /sbin/cardctl -> $(SEC_CRIT) ;
474 /sbin/cardmgr -> $(SEC_CRIT) ;
475 /sbin/cbq -> $(SEC_CRIT) ;
476 /sbin/dump_cis -> $(SEC_CRIT) ;
477 /sbin/elvtune -> $(SEC_CRIT) ;
478 /sbin/hotplug -> $(SEC_CRIT) ;
479 /sbin/hwclock -> $(SEC_CRIT) ;
480 /sbin/ide_info -> $(SEC_CRIT) ;
481 #/sbin/isapnp -> $(SEC_CRIT) ;
482 /sbin/kbdrate -> $(SEC_CRIT) ;
483 /sbin/losetup -> $(SEC_CRIT) ;
484 /sbin/lspci -> $(SEC_CRIT) ;
485 /sbin/lspnp -> $(SEC_CRIT) ;
486 /sbin/mii-tool -> $(SEC_CRIT) ;
487 /sbin/pack_cis -> $(SEC_CRIT) ;
488 #/sbin/pnpdump -> $(SEC_CRIT) ;
489 /sbin/probe -> $(SEC_CRIT) ;
490 /sbin/pump -> $(SEC_CRIT) ;
491 /sbin/setpci -> $(SEC_CRIT) ;
492 /sbin/shapecfg -> $(SEC_CRIT) ;
493}
494
495 ###############################
496 # ##
497############################### #
498# # #
499# System Information Programs # #
500# ##
501###############################
502(
503 rulename = "System Information Programs",
504 severity = $(SIG_HI)
505)
506{
507 /sbin/consoletype -> $(SEC_CRIT) ;
508 /sbin/kernelversion -> $(SEC_CRIT) ;
509 /sbin/runlevel -> $(SEC_CRIT) ;
510}
511
512 ####################################
513 # ##
514#################################### #
515# # #
516# Application Information Programs # #
517# ##
518####################################
519
520(
521 rulename = "Application Information Programs",
522 severity = $(SIG_HI)
523)
524{
525 /sbin/genksyms -> $(SEC_CRIT) ;
526 #/sbin/genksyms.old -> $(SEC_CRIT) ;
527 /sbin/rtmon -> $(SEC_CRIT) ;
528}
529
530 ##########################
531 # ##
532########################## #
533# # #
534# Shell Related Programs # #
535# ##
536##########################
537(
538 rulename = "Shell Related Programs",
539 severity = $(SIG_HI)
540)
541{
542 /sbin/getkey -> $(SEC_CRIT) ;
543 /sbin/nash -> $(SEC_CRIT) ;
544 /sbin/sash -> $(SEC_CRIT) ;
545}
546
547
548 ################
549 # ##
550################ #
551# # #
552# OS Utilities # #
553# ##
554################
555(
556 rulename = "Operating System Utilities",
557 severity = $(SIG_HI)
558)
559{
560 /bin/arch -> $(SEC_CRIT) ;
561 /bin/ash -> $(SEC_CRIT) ;
562 /bin/ash.static -> $(SEC_CRIT) ;
563 /bin/aumix-minimal -> $(SEC_CRIT) ;
564 /bin/basename -> $(SEC_CRIT) ;
565 /bin/cat -> $(SEC_CRIT) ;
566 /bin/consolechars -> $(SEC_CRIT) ;
567 /bin/cut -> $(SEC_CRIT) ;
568 /bin/date -> $(SEC_CRIT) ;
569 /bin/dd -> $(SEC_CRIT) ;
570 /bin/df -> $(SEC_CRIT) ;
571 /bin/dmesg -> $(SEC_CRIT) ;
572 /bin/doexec -> $(SEC_CRIT) ;
573 /bin/echo -> $(SEC_CRIT) ;
574 /bin/ed -> $(SEC_CRIT) ;
575 /bin/egrep -> $(SEC_CRIT) ;
576 /bin/false -> $(SEC_CRIT) ;
577 /bin/fgrep -> $(SEC_CRIT) ;
578 /bin/gawk -> $(SEC_CRIT) ;
579 /bin/gawk-3.1.0 -> $(SEC_CRIT) ;
580 /bin/gettext -> $(SEC_CRIT) ;
581 /bin/grep -> $(SEC_CRIT) ;
582 /bin/gunzip -> $(SEC_CRIT) ;
583 /bin/gzip -> $(SEC_CRIT) ;
584 /bin/hostname -> $(SEC_CRIT) ;
585 /bin/igawk -> $(SEC_CRIT) ;
586 /bin/ipcalc -> $(SEC_CRIT) ;
587 /bin/kill -> $(SEC_CRIT) ;
588 /bin/ln -> $(SEC_CRIT) ;
589 /bin/loadkeys -> $(SEC_CRIT) ;
590 /bin/login -> $(SEC_CRIT) ;
591 /bin/ls -> $(SEC_CRIT) ;
592 /bin/mail -> $(SEC_CRIT) ;
593 /bin/more -> $(SEC_CRIT) ;
594 /bin/mt -> $(SEC_CRIT) ;
595 /bin/mv -> $(SEC_CRIT) ;
596 /bin/netstat -> $(SEC_CRIT) ;
597 /bin/nice -> $(SEC_CRIT) ;
598 /bin/pgawk -> $(SEC_CRIT) ;
599 /bin/ps -> $(SEC_CRIT) ;
600 /bin/rpm -> $(SEC_CRIT) ;
601 /bin/sed -> $(SEC_CRIT) ;
602 /bin/sleep -> $(SEC_CRIT) ;
603 /bin/sort -> $(SEC_CRIT) ;
604 /bin/stty -> $(SEC_CRIT) ;
605 /bin/su -> $(SEC_CRIT) ;
606 /bin/sync -> $(SEC_CRIT) ;
607 /bin/tar -> $(SEC_CRIT) ;
608 /bin/true -> $(SEC_CRIT) ;
609 /bin/usleep -> $(SEC_CRIT) ;
610 /bin/vi -> $(SEC_CRIT) ;
611 /bin/zcat -> $(SEC_CRIT) ;
612 /bin/zsh -> $(SEC_CRIT) ;
613 #/bin/zsh-4.0.2 -> $(SEC_CRIT) ;
614 /sbin/sln -> $(SEC_CRIT) ;
615 /usr/bin/vimtutor -> $(SEC_CRIT) ;
616}
617
618 ##############################
619 # ##
620############################## #
621# # #
622# Critical Utility Sym-Links # #
623# ##
624##############################
625(
626 rulename = "Critical Utility Sym-Links",
627 severity = $(SIG_HI)
628)
629{
630 #/sbin/askrunlevel -> $(SEC_CRIT) ;
631 /sbin/clock -> $(SEC_CRIT) ;
632 #/sbin/fixperm -> $(SEC_CRIT) ;
633 /sbin/fsck.reiserfs -> $(SEC_CRIT) ;
634 #/sbin/fsconf -> $(SEC_CRIT) ;
635 /sbin/ipfwadm-wrapper -> $(SEC_CRIT) ;
636 /sbin/kallsyms -> $(SEC_CRIT) ;
637 /sbin/ksyms -> $(SEC_CRIT) ;
638 /sbin/lsmod -> $(SEC_CRIT) ;
639 #/sbin/mailconf -> $(SEC_CRIT) ;
640 /sbin/mkfs.reiserfs -> $(SEC_CRIT) ;
641 #/sbin/modemconf -> $(SEC_CRIT) ;
642 /sbin/modprobe -> $(SEC_CRIT) ;
643 /sbin/mount.ncp -> $(SEC_CRIT) ;
644 /sbin/mount.ncpfs -> $(SEC_CRIT) ;
645 /sbin/mount.smb -> $(SEC_CRIT) ;
646 /sbin/mount.smbfs -> $(SEC_CRIT) ;
647 #/sbin/netconf -> $(SEC_CRIT) ;
648 /sbin/pidof -> $(SEC_CRIT) ;
649 /sbin/poweroff -> $(SEC_CRIT) ;
650 /sbin/quotaoff -> $(SEC_CRIT) ;
651 /sbin/raid0run -> $(SEC_CRIT) ;
652 /sbin/raidhotadd -> $(SEC_CRIT) ;
653 /sbin/raidhotgenerateerror -> $(SEC_CRIT) ;
654 /sbin/raidhotremove -> $(SEC_CRIT) ;
655 /sbin/raidstop -> $(SEC_CRIT) ;
656 /sbin/rdump -> $(SEC_CRIT) ;
657 /sbin/rdump.static -> $(SEC_CRIT) ;
658 /sbin/reboot -> $(SEC_CRIT) ;
659 /sbin/rmmod -> $(SEC_CRIT) ;
660 /sbin/rrestore -> $(SEC_CRIT) ;
661 /sbin/rrestore.static -> $(SEC_CRIT) ;
662 /sbin/swapoff -> $(SEC_CRIT) ;
663 /sbin/telinit -> $(SEC_CRIT) ;
664 #/sbin/userconf -> $(SEC_CRIT) ;
665 #/sbin/uucpconf -> $(SEC_CRIT) ;
666 #/sbin/vregistry -> $(SEC_CRIT) ;
667 /bin/awk -> $(SEC_CRIT) ;
668 /bin/bash2 -> $(SEC_CRIT) ;
669 /bin/bsh -> $(SEC_CRIT) ;
670 /bin/csh -> $(SEC_CRIT) ;
671 /bin/dnsdomainname -> $(SEC_CRIT) ;
672 /bin/domainname -> $(SEC_CRIT) ;
673 /bin/ex -> $(SEC_CRIT) ;
674 /bin/gtar -> $(SEC_CRIT) ;
675 /bin/nisdomainname -> $(SEC_CRIT) ;
676 /bin/red -> $(SEC_CRIT) ;
677 /bin/rvi -> $(SEC_CRIT) ;
678 /bin/rview -> $(SEC_CRIT) ;
679 /bin/view -> $(SEC_CRIT) ;
680 /bin/ypdomainname -> $(SEC_CRIT) ;
681}
682
683
684 #########################
685 # ##
686######################### #
687# # #
688# Temporary directories # #
689# ##
690#########################
691(
692 rulename = "Temporary directories",
693 recurse = false,
694 severity = $(SIG_LOW)
695)
696{
697 /usr/tmp -> $(SEC_INVARIANT) ;
698 /var/tmp -> $(SEC_INVARIANT) ;
699 /tmp -> $(SEC_INVARIANT) ;
700}
701
702 ###############
703 # ##
704############### #
705# # #
706# Local files # #
707# ##
708###############
709(
710 rulename = "User binaries",
711 severity = $(SIG_MED)
712)
713{
714 /sbin -> $(SEC_BIN) (recurse = 1) ;
715 /usr/bin -> $(SEC_BIN) (recurse = 1) ;
716 /usr/sbin -> $(SEC_BIN) (recurse = 1) ;
717 /usr/local/bin -> $(SEC_BIN) (recurse = 1) ;
718}
719
720(
721 rulename = "Shell Binaries",
722 severity = $(SIG_HI)
723)
724{
725 /bin/bash -> $(SEC_BIN) ;
726 /bin/ksh -> $(SEC_BIN) ;
727 # /bin/psh -> $(SEC_BIN) ; # No longer used?
728 # /bin/Rsh -> $(SEC_BIN) ; # No longer used?
729 /bin/sh -> $(SEC_BIN) ;
730 # /bin/shell -> $(SEC_SUID) ; # No longer used?
731 # /bin/tsh -> $(SEC_BIN) ; # No longer used?
732 /bin/tcsh -> $(SEC_BIN) ;
733 /sbin/nologin -> $(SEC_BIN) ;
734}
735
736(
737 rulename = "Security Control",
738 severity = $(SIG_HI)
739)
740{
741 /etc/group -> $(SEC_CRIT) ;
742 /etc/security -> $(SEC_CRIT) ;
743 #/var/spool/cron/crontabs -> $(SEC_CRIT) ; # Uncomment when this file exists
744}
745
746#(
747# rulename = "Boot Scripts",
748# severity = $(SIG_HI)
749#)
750#{
751# /etc/rc -> $(SEC_CONFIG) ;
752# /etc/rc.bsdnet -> $(SEC_CONFIG) ;
753# /etc/rc.dt -> $(SEC_CONFIG) ;
754# /etc/rc.net -> $(SEC_CONFIG) ;
755# /etc/rc.net.serial -> $(SEC_CONFIG) ;
756# /etc/rc.nfs -> $(SEC_CONFIG) ;
757# /etc/rc.powerfail -> $(SEC_CONFIG) ;
758# /etc/rc.tcpip -> $(SEC_CONFIG) ;
759# /etc/trcfmt.Z -> $(SEC_CONFIG) ;
760#}
761
762(
763 rulename = "Login Scripts",
764 severity = $(SIG_HI)
765)
766{
767 /etc/bashrc -> $(SEC_CONFIG) ;
768 /etc/csh.cshrc -> $(SEC_CONFIG) ;
769 /etc/csh.login -> $(SEC_CONFIG) ;
770 /etc/inputrc -> $(SEC_CONFIG) ;
771 # /etc/tsh_profile -> $(SEC_CONFIG) ; #Uncomment when this file exists
772 /etc/profile -> $(SEC_CONFIG) ;
773}
774
775# Libraries
776(
777 rulename = "Libraries",
778 severity = $(SIG_MED)
779)
780{
781 /usr/lib -> $(SEC_BIN) ;
782 /usr/local/lib -> $(SEC_BIN) ;
783}
784
785
786 ######################################################
787 # ##
788###################################################### #
789# # #
790# Critical System Boot Files # #
791# These files are critical to a correct system boot. # #
792# ##
793######################################################
794
795(
796 rulename = "Critical system boot files",
797 severity = $(SIG_HI)
798)
799{
800 /boot -> $(SEC_CRIT) ;
801 #/sbin/devfsd -> $(SEC_CRIT) ;
802 /sbin/grub -> $(SEC_CRIT) ;
803 /sbin/grub-install -> $(SEC_CRIT) ;
804 /sbin/grub-md5-crypt -> $(SEC_CRIT) ;
805 /sbin/installkernel -> $(SEC_CRIT) ;
806 /sbin/lilo -> $(SEC_CRIT) ;
807 /sbin/mkkerneldoth -> $(SEC_CRIT) ;
808 !/boot/System.map ;
809 !/boot/module-info ;
810 /usr/share/grub/i386-redhat/e2fs_stage1_5 -> $(SEC_CRIT) ;
811 /usr/share/grub/i386-redhat/fat_stage1_5 -> $(SEC_CRIT) ;
812 /usr/share/grub/i386-redhat/ffs_stage1_5 -> $(SEC_CRIT) ;
813 /usr/share/grub/i386-redhat/minix_stage1_5 -> $(SEC_CRIT) ;
814 /usr/share/grub/i386-redhat/reiserfs_stage1_5 -> $(SEC_CRIT) ;
815 /usr/share/grub/i386-redhat/stage1 -> $(SEC_CRIT) ;
816 /usr/share/grub/i386-redhat/stage2 -> $(SEC_CRIT) ;
817 /usr/share/grub/i386-redhat/vstafs_stage1_5 -> $(SEC_CRIT) ;
818 # other boot files may exist. Look for:
819 #/ufsboot -> $(SEC_CRIT) ;
820}
821 ##################################################
822 ###################################################
823 # These files change every time the system boots ##
824 ##################################################
825(
826 rulename = "System boot changes",
827 severity = $(SIG_HI)
828)
829{
830 !/var/run/ftp.pids-all ; # Comes and goes on reboot.
831 !/root/.enlightenment ;
832 /dev/log -> $(SEC_CONFIG) ;
833 /dev/cua0 -> $(SEC_CONFIG) ;
834 # /dev/printer -> $(SEC_CONFIG) ; # Uncomment if you have a printer device
835 /dev/console -> $(SEC_CONFIG) -u ; # User ID may change on console login/logout.
836 /dev/tty1 -> $(SEC_CONFIG) ; # tty devices
837 /dev/tty2 -> $(SEC_CONFIG) ; # tty devices
838 /dev/tty3 -> $(SEC_CONFIG) ; # are extremely
839 /dev/tty4 -> $(SEC_CONFIG) ; # variable
840 /dev/tty5 -> $(SEC_CONFIG) ;
841 /dev/tty6 -> $(SEC_CONFIG) ;
842 /dev/urandom -> $(SEC_CONFIG) ;
843 /dev/initctl -> $(SEC_CONFIG) ;
844 /var/lock/subsys -> $(SEC_CONFIG) ;
845 #/var/lock/subsys/amd -> $(SEC_CONFIG) ;
846 /var/lock/subsys/anacron -> $(SEC_CONFIG) ;
847 /var/lock/subsys/apmd -> $(SEC_CONFIG) ;
848 #/var/lock/subsys/arpwatch -> $(SEC_CONFIG) ;
849 /var/lock/subsys/atd -> $(SEC_CONFIG) ;
850 /var/lock/subsys/autofs -> $(SEC_CONFIG) ;
851 #/var/lock/subsys/bcm5820 -> $(SEC_CONFIG) ;
852 #/var/lock/subsys/bgpd -> $(SEC_CONFIG) ;
853 #/var/lock/subsys/bootparamd -> $(SEC_CONFIG) ;
854 #/var/lock/subsys/canna -> $(SEC_CONFIG) ;
855 /var/lock/subsys/crond -> $(SEC_CONFIG) ;
856 #/var/lock/subsys/cWnn -> $(SEC_CONFIG) ;
857 #/var/lock/subsys/dhcpd -> $(SEC_CONFIG) ;
858 #/var/lock/subsys/firewall -> $(SEC_CONFIG) ;
859 #/var/lock/subsys/freeWnn -> $(SEC_CONFIG) ;
860 #/var/lock/subsys/gated -> $(SEC_CONFIG) ;
861 /var/lock/subsys/gpm -> $(SEC_CONFIG) ;
862 #/var/lock/subsys/httpd -> $(SEC_CONFIG) ;
863 #/var/lock/subsys/identd -> $(SEC_CONFIG) ;
864 #/var/lock/subsys/innd -> $(SEC_CONFIG) ;
865 /var/lock/subsys/ipchains -> $(SEC_CONFIG) ;
866 #/var/lock/subsys/iptables -> $(SEC_CONFIG) ;
867 #/var/lock/subsys/ipvsadm -> $(SEC_CONFIG) ;
868 #/var/lock/subsys/irda -> $(SEC_CONFIG) ;
869 #/var/lock/subsys/iscsi -> $(SEC_CONFIG) ;
870 #/var/lock/subsys/isdn -> $(SEC_CONFIG) ;
871 #/var/lock/subsys/junkbuster -> $(SEC_CONFIG) ;
872 #/var/lock/subsys/kadmin -> $(SEC_CONFIG) ;
873 /var/lock/subsys/keytable -> $(SEC_CONFIG) ;
874 #/var/lock/subsys/kprop -> $(SEC_CONFIG) ;
875 #/var/lock/subsys/krb524 -> $(SEC_CONFIG) ;
876 #/var/lock/subsys/krb5kdc -> $(SEC_CONFIG) ;
877 /var/lock/subsys/kudzu -> $(SEC_CONFIG) ;
878 #/var/lock/subsys/kWnn -> $(SEC_CONFIG) ;
879 #/var/lock/subsys/ldap -> $(SEC_CONFIG) ;
880 #/var/lock/subsys/linuxconf -> $(SEC_CONFIG) ;
881 #/var/lock/subsys/lpd -> $(SEC_CONFIG) ;
882 #/var/lock/subsys/mars_nwe -> $(SEC_CONFIG) ;
883 #/var/lock/subsys/mcserv -> $(SEC_CONFIG) ;
884 #/var/lock/subsys/mysqld -> $(SEC_CONFIG) ;
885 #/var/lock/subsys/named -> $(SEC_CONFIG) ;
886 /var/lock/subsys/netfs -> $(SEC_CONFIG) ;
887 /var/lock/subsys/network -> $(SEC_CONFIG) ;
888 #/var/lock/subsys/nfs -> $(SEC_CONFIG) ;
889 /var/lock/subsys/nfslock -> $(SEC_CONFIG) ;
890 #/var/lock/subsys/nscd -> $(SEC_CONFIG) ;
891 #/var/lock/subsys/ntpd -> $(SEC_CONFIG) ;
892 #/var/lock/subsys/ospf6d -> $(SEC_CONFIG) ;
893 #/var/lock/subsys/ospfd -> $(SEC_CONFIG) ;
894 /var/lock/subsys/pcmcia -> $(SEC_CONFIG) ;
895 /var/lock/subsys/portmap -> $(SEC_CONFIG) ;
896 #/var/lock/subsys/postgresql -> $(SEC_CONFIG) ;
897 #/var/lock/subsys/pxe -> $(SEC_CONFIG) ;
898 #/var/lock/subsys/radvd -> $(SEC_CONFIG) ;
899 /var/lock/subsys/random -> $(SEC_CONFIG) ;
900 #/var/lock/subsys/rarpd -> $(SEC_CONFIG) ;
901 /var/lock/subsys/reconfig -> $(SEC_CONFIG) ;
902 /var/lock/subsys/rhnsd -> $(SEC_CONFIG) ;
903 #/var/lock/subsys/ripd -> $(SEC_CONFIG) ;
904 #/var/lock/subsys/ripngd -> $(SEC_CONFIG) ;
905 #/var/lock/subsys/routed -> $(SEC_CONFIG) ;
906 #/var/lock/subsys/rstatd -> $(SEC_CONFIG) ;
907 #/var/lock/subsys/rusersd -> $(SEC_CONFIG) ;
908 #/var/lock/subsys/rwalld -> $(SEC_CONFIG) ;
909 #/var/lock/subsys/rwhod -> $(SEC_CONFIG) ;
910 /var/lock/subsys/sendmail -> $(SEC_CONFIG) ;
911 #/var/lock/subsys/smb -> $(SEC_CONFIG) ;
912 #/var/lock/subsys/snmpd -> $(SEC_CONFIG) ;
913 #/var/lock/subsys/squid -> $(SEC_CONFIG) ;
914 /var/lock/subsys/sshd -> $(SEC_CONFIG) ;
915 /var/lock/subsys/syslog -> $(SEC_CONFIG) ;
916 #/var/lock/subsys/tux -> $(SEC_CONFIG) ;
917 #/var/lock/subsys/tWnn -> $(SEC_CONFIG) ;
918 #/var/lock/subsys/ups -> $(SEC_CONFIG) ;
919 #/var/lock/subsys/vncserver -> $(SEC_CONFIG) ;
920 #/var/lock/subsys/wine -> $(SEC_CONFIG) ;
921 /var/lock/subsys/xfs -> $(SEC_CONFIG) ;
922 /var/lock/subsys/xinetd -> $(SEC_CONFIG) ;
923 /var/lock/subsys/ypbind -> $(SEC_CONFIG) ;
924 #/var/lock/subsys/yppasswdd -> $(SEC_CONFIG) ;
925 #/var/lock/subsys/ypserv -> $(SEC_CONFIG) ;
926 #/var/lock/subsys/ypxfrd -> $(SEC_CONFIG) ;
927 #/var/lock/subsys/zebra -> $(SEC_CONFIG) ;
928 /var/run -> $(SEC_CONFIG) ;
929 /var/log -> $(SEC_CONFIG) ;
930 /etc/ioctl.save -> $(SEC_CONFIG) ;
931 /etc/issue.net -> $(SEC_CONFIG) -i ; # Inode number changes
932 /etc/issue -> $(SEC_CONFIG) ;
933 /etc/mtab -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount
934 /lib/modules -> $(SEC_CONFIG) ;
935 /etc/.pwd.lock -> $(SEC_CONFIG) ;
936 # /lib/modules/preferred -> $(SEC_CONFIG) ; #Uncomment when this file exists
937}
938
939# These files change the behavior of the root account
940(
941 rulename = "Root config files",
942 severity = 100
943)
944{
945 /root -> $(SEC_CRIT) ; # Catch all additions to /root
946 #/root/.Xresources -> $(SEC_CONFIG) ;
947 /root/.bashrc -> $(SEC_CONFIG) ;
948 /root/.bash_profile -> $(SEC_CONFIG) ;
949 /root/.bash_logout -> $(SEC_CONFIG) ;
950 /root/.cshrc -> $(SEC_CONFIG) ;
951 /root/.tcshrc -> $(SEC_CONFIG) ;
952 /root/Mail -> $(SEC_CONFIG) ;
953 #/root/mail -> $(SEC_CONFIG) ;
954 #/root/.amandahosts -> $(SEC_CONFIG) ;
955 #/root/.addressbook.lu -> $(SEC_CONFIG) ;
956 #/root/.addressbook -> $(SEC_CONFIG) ;
957 /root/.bash_history -> $(SEC_CONFIG) ;
958 /root/.elm -> $(SEC_CONFIG) ;
959 #/root/.esd_auth -> $(SEC_CONFIG) ;
960 /root/.gnome_private -> $(SEC_CONFIG) ;
961 /root/.gnome-desktop -> $(SEC_CONFIG) ;
962 /root/.gnome -> $(SEC_CONFIG) ;
963 /root/.ICEauthority -> $(SEC_CONFIG) ;
964 #/root/.mc -> $(SEC_CONFIG) ;
965 #/root/.pinerc -> $(SEC_CONFIG) ;
966 /root/.sawfish -> $(SEC_CONFIG) ;
967 /root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login
968 #/root/.xauth -> $(SEC_CONFIG) ;
969 /root/.xsession-errors -> $(SEC_CONFIG) ;
970}
971
972 ################################
973 # ##
974################################ #
975# # #
976# Critical configuration files # #
977# ##
978################################
979(
980 rulename = "Critical configuration files",
981 severity = $(SIG_HI)
982)
983{
984 #/etc/conf.linuxconf -> $(SEC_BIN) ;
985 /etc/crontab -> $(SEC_BIN) ;
986 /etc/cron.hourly -> $(SEC_BIN) ;
987 /etc/cron.daily -> $(SEC_BIN) ;
988 /etc/cron.weekly -> $(SEC_BIN) ;
989 /etc/cron.monthly -> $(SEC_BIN) ;
990 /etc/default -> $(SEC_BIN) ;
991 /etc/fstab -> $(SEC_BIN) ;
992 /etc/exports -> $(SEC_BIN) ;
993 /etc/group- -> $(SEC_BIN) ; # changes should be infrequent
994 /etc/host.conf -> $(SEC_BIN) ;
995 /etc/hosts.allow -> $(SEC_BIN) ;
996 /etc/hosts.deny -> $(SEC_BIN) ;
997 /etc/httpd/conf -> $(SEC_BIN) ; # changes should be infrequent
998 /etc/protocols -> $(SEC_BIN) ;
999 /etc/services -> $(SEC_BIN) ;
1000 /etc/rc.d/init.d -> $(SEC_BIN) ;
1001 /etc/rc.d -> $(SEC_BIN) ;
1002 /etc/mail.rc -> $(SEC_BIN) ;
1003 /etc/modules.conf -> $(SEC_BIN) ;
1004 /etc/motd -> $(SEC_BIN) ;
1005 /etc/named.conf -> $(SEC_BIN) ;
1006 /etc/passwd -> $(SEC_CONFIG) ;
1007 /etc/passwd- -> $(SEC_CONFIG) ;
1008 /etc/profile.d -> $(SEC_BIN) ;
1009 /var/lib/nfs/rmtab -> $(SEC_BIN) ;
1010 /usr/sbin/fixrmtab -> $(SEC_BIN) ;
1011 /etc/rpc -> $(SEC_BIN) ;
1012 /etc/sysconfig -> $(SEC_BIN) ;
1013 /etc/samba/smb.conf -> $(SEC_CONFIG) ;
1014 #/etc/gettydefs -> $(SEC_BIN) ;
1015 /etc/nsswitch.conf -> $(SEC_BIN) ;
1016 /etc/yp.conf -> $(SEC_BIN) ;
1017 /etc/hosts -> $(SEC_CONFIG) ;
1018 /etc/xinetd.conf -> $(SEC_CONFIG) ;
1019 /etc/inittab -> $(SEC_CONFIG) ;
1020 /etc/resolv.conf -> $(SEC_CONFIG) ;
1021 /etc/syslog.conf -> $(SEC_CONFIG) ;
1022}
1023
1024 ####################
1025 # ##
1026#################### #
1027# # #
1028# Critical devices # #
1029# ##
1030####################
1031(
1032 rulename = "Critical devices",
1033 severity = $(SIG_HI),
1034 recurse = false
1035)
1036{
1037 /dev/kmem -> $(Device) ;
1038 /dev/mem -> $(Device) ;
1039 /dev/null -> $(Device) ;
1040 /dev/zero -> $(Device) ;
1041 /proc/devices -> $(Device) ;
1042 /proc/net -> $(Device) ;
1043 /proc/sys -> $(Device) ;
1044 /proc/cpuinfo -> $(Device) ;
1045 /proc/modules -> $(Device) ;
1046 /proc/mounts -> $(Device) ;
1047 /proc/dma -> $(Device) ;
1048 /proc/filesystems -> $(Device) ;
1049 /proc/pci -> $(Device) ;
1050 /proc/interrupts -> $(Device) ;
1051 /proc/driver/rtc -> $(Device) ;
1052 /proc/ioports -> $(Device) ;
1053 #/proc/scsi -> $(Device) ;
1054 /proc/kcore -> $(Device) ;
1055 /proc/self -> $(Device) ;
1056 /proc/kmsg -> $(Device) ;
1057 /proc/stat -> $(Device) ;
1058 /proc/ksyms -> $(Device) ;
1059 /proc/loadavg -> $(Device) ;
1060 /proc/uptime -> $(Device) ;
1061 /proc/locks -> $(Device) ;
1062 /proc/version -> $(Device) ;
1063 /proc/mdstat -> $(Device) ;
1064 /proc/meminfo -> $(Device) ;
1065 /proc/cmdline -> $(Device) ;
1066 /proc/misc -> $(Device) ;
1067}
1068
1069# Rest of critical system binaries
1070(
1071 rulename = "OS executables and libraries",
1072 severity = $(SIG_HI)
1073)
1074{
1075 /bin -> $(SEC_BIN) ;
1076 /lib -> $(SEC_BIN) ;
1077}
1078
1079#=============================================================================
1080#
1081# Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire,
1082# Inc. in the United States and other countries. All rights reserved.
1083#
1084# Linux is a registered trademark of Linus Torvalds.
1085#
1086# UNIX is a registered trademark of The Open Group.
1087#
1088#=============================================================================
1089#
1090# Permission is granted to make and distribute verbatim copies of this document
1091# provided the copyright notice and this permission notice are preserved on all
1092# copies.
1093#
1094# Permission is granted to copy and distribute modified versions of this
1095# document under the conditions for verbatim copying, provided that the entire
1096# resulting derived work is distributed under the terms of a permission notice
1097# identical to this one.
1098#
1099# Permission is granted to copy and distribute translations of this document
1100# into another language, under the above conditions for modified versions,
1101# except that this permission notice may be stated in a translation approved by
1102# Tripwire, Inc.
1103#
1104# DCM
1105#
1106# $Id: twpol-GENERIC.txt,v 1.1 2003/06/08 02:00:06 pherman Exp $
1107#